Posted by Tyler
on July 21, 2009
A while back we posted a screenshot of the Rogers Webmail SSLFail. I decided to follow up with Rogers to see if they were going to resolve the issue anytime soon. I contacted Rogers and asked if they were going to fix the issue; a couple of days later (July 11th) I received a canned response with no real information:
Dear Tyler,
Thank you for taking the time to write to us, we appreciate your use of
online customer service.
In your recent email, you have informed us that you would like to know
when we will fix an issue with SSL warnings.
Please accept our apologies for any difficulties that you may have
experienced while using Rogers services. Rogers strives for excellence
in customer service and we’re sorry that we did not meet your
expectations. Be assured that we take your concerns very seriously, and
appreciate the feedback that you have provided and this has been sent to
the appropriate group for their review. If you have any further
questions or requests please let us know.
Thank you for contacting Rogers. For additional information please visit
our website at www.rogers.com. You are a valued customer and we thank
you for your business.
For future email correspondence with respect to this e-mail, please
quote reference number XXXXXXXX
I have received no additional communication to let me know if they would be fixing this issue or not. I’m guessing they don’t take their SSL issues to be very serious as the issue still exists.
As a side note, in order to contact Rogers about a “website issue”, I had to provide an account number. The account 12345679 was accepted, but I couldn’t believe I needed an account number in order to contact them about their website. That’s ridiculous.
Tags: rogers, SSLFail
Posted by Tyler
on July 15, 2009
I have to say that when I came across this blog post, I just sat there laughing. Then I stopped laughing when I realized what an issue this is. Could you imagine if many sites started doing this and people believed that their transactions were “secured” by SSL? Everyone talks about compliance standards but maybe we need something a little more serious. A way of shutting down sites that do something like this, or at the very least, a fine that causes severe monetary impact to their business.
I realize that you can’t police the internet, but individual countries can police companies that operate within their borders, so let’s start there. We simply need someone to bring it up at the G8 meeting; after all, this is much more important than all the discussions on the fictitious issue of global warming. If you require a business permit to operate a business legally and have to pay taxes and abide by laws, subject the companies to additional regulations related to tricking the customer on the web, or not following best practices. It’s that simple.
I’m sure people will argue that it’s impossible to police the internet, which is why you stick to this per-country basis. There will always be malicious sites that dupe the user… that’s unavoidable, but in the countries that can do something… do it. Punish these businesses for malicious actions. Take the example that started this post: slap aferry.co.uk with a $10,000 fine. See if they bypass buying that $10 SSL cert again.
Posted by Tyler
on July 06, 2009
We had an interesting screenshot sent in today from Sheldon (his post on the subject). It appears as though the SSL certificate on LinkedIn expired today and they waited until after the expiration to update their cert, leaving people with SSL errors temporarily. This doesn’t seem like a great way to foster user trust; I’d prefer my sites update their certificates early, rather than wait for them to expire. If this was a matter of them forgetting the date and not being ready for the expiration, then I’m really concerned; that mistake should not happen… especially with a site I trust with so much of my personal information.

Tags: LinkedIn, ssl_error_expired_certificate